Secure Socket Layer (SSL) Certificate Check is a simple and effective way to proactively monitor the SSL certificate installed on your web server for issues. The Dotcom-Monitor SSL Certificate checker lets you set up automated monitoring of the certificate’s expiration date, authority, and validity, including intermediate certificates. You can also set a certificate expiration reminder to be notified of an upcoming expiration in advance.

To start SSL Certificate monitoring, first provide the public hostname or IP address of your server in the Hostname field. For externally available sites, the hostname should be formatted as www.hostname.com. If the target is an IP address, it can be formatted as either an IPv4 or IPv6 address.

Then set the Time Validation threshold for the server response waiting time. If the timeout is reached, the system will abort the monitoring session and return a timeout error. The timeout is set to 120 seconds by default.

Then select which SSL Certificate checks you want to run.

The following checks are available:

  • Authority: verifies whether the certificate chain contains a trusted root certificate.
  • Common Name (CN): validates that the address you navigate to matches the address the certificate was issued for.
  • Date: verifies the certificate expiration date.
  • Revocation: validates that the certificate’s chain of trust doesn’t contain a revoked certificate.
  • Usage: verifies a certificate chain for the improper use of an intermediate certificate.
  • Expiration Reminder in Days: a reminder that notifies (as an error) about certificate expiration.

You will receive an alert if a monitored certificate expires within the reminder period. We recommend that you silence alerts for the corresponding SSL Certificate monitoring device until the certificate is updated on the website.

TLS Version

In addition, you can specify the version of TLS (1.0, 1.2, 1.3) to use for a check. Note that if a specific protocol version has been selected, the check will not fall back to other versions when your server does not support the selected one.
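The Date and Expiration Reminder checks, together with the timeout and the TLS version pinning described above, can be reproduced with Python's standard `ssl` module. This is an added example, not Dotcom-Monitor code: the function names, the status strings and the sample certificate fields are assumptions made for illustration, and the Revocation and Usage checks are not covered.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(hostname, port=443, timeout=120, tls_version=None):
    """Fetch the peer certificate. The default context rejects untrusted
    roots and hostname mismatches with ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    if tls_version is not None:
        # Pin exactly one protocol version: no fallback to another one.
        ctx.minimum_version = ctx.maximum_version = tls_version
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def _utc(cert_time):
    # Convert a getpeercert() time string ("Mar 31 23:59:59 2024 GMT") to UTC.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def check_dates(cert, reminder_days, now=None):
    """Return (status, days_left) for a dict shaped like getpeercert() output."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    days_left = (not_after - now).days
    if now < not_before:
        return ("not_yet_valid", days_left)
    if now >= not_after:
        return ("expired", days_left)
    # Assumption: "within the reminder period" includes the boundary day.
    if days_left <= reminder_days:
        return ("expiring_soon", days_left)
    return ("ok", days_left)

# Constructed sample certificate fields (not taken from a real server).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
}

if __name__ == "__main__":
    fixed_now = datetime(2024, 3, 10, tzinfo=timezone.utc)
    print(check_dates(SAMPLE_CERT, reminder_days=30, now=fixed_now))
```

For a live check, pass the result of `fetch_cert("www.example.com", tls_version=ssl.TLSVersion.TLSv1_2)` to `check_dates`; a handshake failure then means the server does not support the pinned version.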

DNS Options

Optionally, you can configure DNS connection settings that must be used to execute the SSL Certificate monitoring sessions.

The DNS Options feature allows users to choose how domain name server (DNS) requests are conducted during a monitoring task.

To specify the mode of resolving hostnames, in the DNS Resolve Mode section, select one of the available modes. For more details on the feature configuration, see DNS Mode Options.

The Custom DNS Hosts section allows you to set up the mapping of IP addresses to hostnames. IPv6 and IPv4 DNS resolution is supported.

To specify the mapping, enter the IP address and the hostname in the corresponding fields.

Examples:

192.168.107.246   example.com user.example.com userauth.example.com tools.example.com
192.168.107.246   example.com
192.168.107.246   user.example.com
192.168.107.246   userauth.example.com

See also: DNS Mode Options.

Error Filter

You can set a filter to ignore specific error types and codes. In the Error Filter section, you can filter out certain user-configurable errors. For example, DNS errors could be filtered out based on who is responsible for DNS server operations. You can create filters that will ignore specific errors that you know may occur and are not relevant to the goal of a specific device.

In addition, you can set up the system to ignore a range of error codes using a dash, or multiple error codes using semicolons as a separator.

For example, if you do not care about 404 errors on one particular device, you can filter them out so that you do not receive alerts when they are detected.

Note that if an error matches the filter conditions, the error will not be reflected in the reports and can’t be tracked down.